Privacy Policy

Effective: April 29, 2026 · Last updated: April 29, 2026

1. Overview

Entity Ally ("we", "us") provides automated monitoring of public Florida Division of Corporations records. This Privacy Policy explains what data we collect, why, how we protect it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data We Collect

  • Account data: email address, hashed password, and (optionally) display name and role.
  • Authentication metadata: session refresh tokens and the User-Agent string of the device that authenticated.
  • Monitored entity selections: which Florida business records you have asked us to track.
  • Billing data: a Creem customer ID and subscription state. Card data is handled by Creem; we never see or store it.
  • Operational logs: request timestamps, error traces, and email delivery results, kept for security and debugging.

We do not collect Florida public-record content about you personally — we only re-index entities you have explicitly added to your watchlist.

3. How We Use Data

  • To provide the monitoring service and send the alert emails you signed up for.
  • To process payments and manage subscriptions via Creem.
  • To authenticate you and protect against abuse (rate limiting, audit trails).
  • To respond to support requests.
  • To send a one-time reminder if you start a checkout but don't complete it (within 24 hours, with a one-click unsubscribe).

We do not sell personal data and we do not use it for third-party advertising, profiling, or training AI models. The only emails you may receive from us are: account and security notifications, the Sunbiz alerts you signed up for, billing receipts, and a single checkout-recovery reminder if you abandon a payment flow.

5. Sharing & Subprocessors

We share data only with the following subprocessors, strictly to run the service:

  • Creem — payment processing.
  • Resend — transactional email delivery.
  • Google — optional Google Sign-In.
  • Our hosting provider — application servers and the Postgres database.

6. Data Retention

Account data is retained while your account is active. After you request deletion, we anonymize your account record (replacing identifying fields with placeholders) and retain only the rows required to preserve the integrity of historical billing and alert audit logs. Anonymized records cannot be re-associated with you.

7. Security

Passwords are hashed with bcrypt. Session refresh tokens are stored only as SHA-256 hashes on our servers and delivered to your browser as HttpOnly, Secure, SameSite cookies. Traffic is served over TLS. We restrict production database access to a small number of operators.

8. Cookies

We use a single first-party cookie (sb_refresh) to keep you signed in across page reloads. It is HttpOnly, scoped to the auth API path, and contains a session refresh token. We do not use third-party advertising or tracking cookies.

9. Your Rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your account and personal data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data-protection authority.

California residents additionally have the right to know what personal information is collected and to request that we not sell personal information — which we already do not do.

10. Deleting Your Account

You can permanently delete your account from your dashboard settings. Deletion immediately revokes your sessions and anonymizes your account. If you have an active paid subscription, please cancel it from the billing portal first; otherwise your card will continue to be charged by our payment processor.

11. Children's Privacy

The service is intended for business users. We do not knowingly collect data from anyone under 16.

12. International Transfers

Our infrastructure is located in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S.

13. Changes to This Policy

We may update this policy as the service evolves. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect.

14. Contact

For privacy questions, data-access requests, or complaints, contact us at privacy@entityally.com.

See also our Terms & Conditions.